<?xml version="1.0" encoding="iso-8859-1" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <meta http-equiv="Content-Type" content=
    "application/xhtml+xml; charset=iso-8859-1" />
    <title>
      OpenSSH-8.2p1
    </title>
    <link rel="stylesheet" type="text/css" href="../stylesheets/lfs.css" />
    <meta name="generator" content="DocBook XSL Stylesheets V1.78.1" />
    <link rel="stylesheet" href="../stylesheets/lfs-print.css" type=
    "text/css" media="print" />
  </head>
  <body class="blfs" id="blfs-2020-04-02">
    <div class="navheader">
      <h4>
        Beyond Linux<sup>�</sup> From Scratch <span class="phrase">(System
        V</span> Edition) - Version 2020-04-02
      </h4>
      <h3>
        Chapter&nbsp;4.&nbsp;Security
      </h3>
      <ul>
        <li class="prev">
          <a accesskey="p" href="nss.html" title="NSS-3.51">Prev</a>
          <p>
            NSS-3.51
          </p>
        </li>
        <li class="next">
          <a accesskey="n" href="p11-kit.html" title=
          "p11-kit-0.23.20">Next</a>
          <p>
            p11-kit-0.23.20
          </p>
        </li>
        <li class="up">
          <a accesskey="u" href="security.html" title=
          "Chapter&nbsp;4.&nbsp;Security">Up</a>
        </li>
        <li class="home">
          <a accesskey="h" href="../index.html" title=
          "Beyond Linux� From Scratch     (System V Edition) - Version 2020-04-02">
          Home</a>
        </li>
      </ul>
    </div>
    <div class="sect1" lang="en" xml:lang="en">
      <h1 class="sect1">
        <a id="openssh" name="openssh"></a>OpenSSH-8.2p1
      </h1>
      <div class="package" lang="en" xml:lang="en">
        <h2 class="sect2">
          Introduction to OpenSSH
        </h2>
        <p>
          The <span class="application">OpenSSH</span> package contains
          <span class="command"><strong>ssh</strong></span> clients and the
          <span class="command"><strong>sshd</strong></span> daemon. This is
          useful for encrypting authentication and subsequent traffic over a
          network. The <span class="command"><strong>ssh</strong></span> and
          <span class="command"><strong>scp</strong></span> commands are
          secure implementations of <span class=
          "command"><strong>telnet</strong></span> and <span class=
          "command"><strong>rcp</strong></span> respectively.
        </p>
        <p>
          This package is known to build and work properly using an LFS-9.1
          platform.
        </p>
        <h3>
          Package Information
        </h3>
        <div class="itemizedlist">
          <ul class="compact">
            <li class="listitem">
              <p>
                Download (HTTP): <a class="ulink" href=
                "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.2p1.tar.gz">
                http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.2p1.tar.gz</a>
              </p>
            </li>
            <li class="listitem">
              <p>
                Download MD5 sum: 3076e6413e8dbe56d33848c1054ac091
              </p>
            </li>
            <li class="listitem">
              <p>
                Download size: 1.6 MB
              </p>
            </li>
            <li class="listitem">
              <p>
                Estimated disk space required: 43 MB (add 17 MB for tests)
              </p>
            </li>
            <li class="listitem">
              <p>
                Estimated build time: 0.2 SBU (Using parallelism=4; running
                the tests takes 17+ minutes, irrespective of processor speed)
              </p>
            </li>
          </ul>
        </div>
        <h3>
          OpenSSH Dependencies
        </h3>
        <h4>
          Optional
        </h4>
        <p class="optional">
          <a class="xref" href="../general/gdb.html" title=
          "GDB-9.1">GDB-9.1</a> (for tests), <a class="xref" href=
          "linux-pam.html" title="Linux-PAM-1.3.1">Linux-PAM-1.3.1</a>,
          <a class="xref" href="../x/installing.html" title=
          "Chapter&nbsp;24.&nbsp;X Window System Environment">X Window
          System</a>, <a class="xref" href="mitkrb.html" title=
          "MIT Kerberos V5-1.18">MIT Kerberos V5-1.18</a>, <a class="ulink"
          href="http://www.thrysoee.dk/editline/">libedit</a>, <a class=
          "ulink" href="http://www.libressl.org/">LibreSSL Portable</a>,
          <a class="ulink" href=
          "https://github.com/OpenSC/OpenSC/wiki">OpenSC</a>, and <a class=
          "ulink" href=
          "http://www.citi.umich.edu/projects/smartcard/sectok.html">libsectok</a>
        </p>
        <h4>
          Optional Runtime (Used only to gather entropy)
        </h4>
        <p class="optional">
          <a class="xref" href="../general/openjdk.html" title=
          "OpenJDK-12.0.2">OpenJDK-12.0.2</a>, <a class="xref" href=
          "../basicnet/net-tools.html" title=
          "Net-tools-CVS_20101030">Net-tools-CVS_20101030</a>, and <a class=
          "xref" href="../general/sysstat.html" title=
          "Sysstat-12.3.1">Sysstat-12.3.1</a>
        </p>
        <p class="usernotes">
          User Notes: <a class="ulink" href=
          "http://wiki.linuxfromscratch.org/blfs/wiki/OpenSSH">http://wiki.linuxfromscratch.org/blfs/wiki/OpenSSH</a>
        </p>
      </div>
      <div class="installation" lang="en" xml:lang="en">
        <h2 class="sect2">
          Installation of OpenSSH
        </h2>
        <p>
          <span class="application">OpenSSH</span> runs as two processes when
          connecting to other computers. The first process is a privileged
          process and controls the issuance of privileges as necessary. The
          second process communicates with the network. Additional
          installation steps are necessary to set up the proper environment,
          which are performed by issuing the following commands as the
          <code class="systemitem">root</code> user:
        </p>
        <pre class="root">
<kbd class="command">install  -v -m700 -d /var/lib/sshd &amp;&amp;
chown    -v root:sys /var/lib/sshd &amp;&amp;

groupadd -g 50 sshd        &amp;&amp;
useradd  -c 'sshd PrivSep' \
         -d /var/lib/sshd  \
         -g sshd           \
         -s /bin/false     \
         -u 50 sshd</kbd>
</pre>
        <p>
          Install <span class="application">OpenSSH</span> by running the
          following commands:
        </p>
        <pre class="userinput">
<kbd class="command">./configure --prefix=/usr                     \
            --sysconfdir=/etc/ssh             \
            --with-md5-passwords              \
            --with-privsep-path=/var/lib/sshd &amp;&amp;
make</kbd>
</pre>
        <p>
          The testsuite requires an installed copy of <span class=
          "command"><strong>scp</strong></span> to complete the multiplexing
          tests. To run the test suite, first copy the <span class=
          "command"><strong>scp</strong></span> program to <code class=
          "filename">/usr/bin</code>, making sure that you backup any
          existing copy first.
        </p>
        <p>
          To test the results, issue: <span class="command"><strong>make
          tests</strong></span>.
        </p>
        <p>
          Now, as the <code class="systemitem">root</code> user:
        </p>
        <pre class="root">
<kbd class="command">make install &amp;&amp;
install -v -m755    contrib/ssh-copy-id /usr/bin     &amp;&amp;

install -v -m644    contrib/ssh-copy-id.1 \
                    /usr/share/man/man1              &amp;&amp;
install -v -m755 -d /usr/share/doc/openssh-8.2p1     &amp;&amp;
install -v -m644    INSTALL LICENCE OVERVIEW README* \
                    /usr/share/doc/openssh-8.2p1</kbd>
</pre>
      </div>
      <div class="commands" lang="en" xml:lang="en">
        <h2 class="sect2">
          Command Explanations
        </h2>
        <p>
          <em class="parameter"><code>--sysconfdir=/etc/ssh</code></em>: This
          prevents the configuration files from being installed in
          <code class="filename">/usr/etc</code>.
        </p>
        <p>
          <em class="parameter"><code>--with-md5-passwords</code></em>: This
          enables the use of MD5 passwords.
        </p>
        <p>
          <code class="option">--with-pam</code>: This parameter enables
          <span class="application">Linux-PAM</span> support in the build.
        </p>
        <p>
          <code class="option">--with-xauth=/usr/bin/xauth</code>: Set the
          default location for the <span class=
          "command"><strong>xauth</strong></span> binary for X
          authentication. Change the location if <span class=
          "command"><strong>xauth</strong></span> will be installed to a
          different path. This can also be controlled from <code class=
          "filename">sshd_config</code> with the XAuthLocation keyword. You
          can omit this switch if <span class="application">Xorg</span> is
          already installed.
        </p>
        <p>
          <code class="option">--with-kerberos5=/usr</code>: This option is
          used to include Kerberos 5 support in the build.
        </p>
        <p>
          <code class="option">--with-libedit</code>: This option enables
          line editing and history features for <span class=
          "command"><strong>sftp</strong></span>.
        </p>
      </div>
      <div class="configuration" lang="en" xml:lang="en">
        <h2 class="sect2">
          Configuring OpenSSH
        </h2>
        <div class="sect3" lang="en" xml:lang="en">
          <h3 class="sect3">
            <a id="openssh-config" name="openssh-config"></a>
          </h3>
          <h4 class="title">
            <a id="openssh-config" name="openssh-config"></a>Config Files
          </h4>
          <p>
            <code class="filename">~/.ssh/*</code>, <code class=
            "filename">/etc/ssh/ssh_config</code>, and <code class=
            "filename">/etc/ssh/sshd_config</code>
          </p>
          <p>
            There are no required changes to any of these files. However, you
            may wish to view the <code class="filename">/etc/ssh/</code>
            files and make any changes appropriate for the security of your
            system. One recommended change is that you disable <code class=
            "systemitem">root</code> login via <span class=
            "command"><strong>ssh</strong></span>. Execute the following
            command as the <code class="systemitem">root</code> user to
            disable <code class="systemitem">root</code> login via
            <span class="command"><strong>ssh</strong></span>:
          </p>
          <pre class="root">
<kbd class=
"command">echo "PermitRootLogin no" &gt;&gt; /etc/ssh/sshd_config</kbd>
</pre>
          <p>
            If you want to be able to log in without typing in your password,
            first create ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub with
            <span class="command"><strong>ssh-keygen</strong></span> and then
            copy ~/.ssh/id_rsa.pub to ~/.ssh/authorized_keys on the remote
            computer that you want to log into. You'll need to change
            REMOTE_USERNAME and REMOTE_HOSTNAME for the username and hostname
            of the remote computer and you'll also need to enter your
            password for the ssh-copy-id command to succeed:
          </p>
          <pre class="userinput">
<kbd class="command">ssh-keygen &amp;&amp;
ssh-copy-id -i ~/.ssh/id_rsa.pub <em class=
"replaceable"><code>REMOTE_USERNAME</code></em>@<em class=
"replaceable"><code>REMOTE_HOSTNAME</code></em></kbd>
</pre>
          <p>
            Once you've got passwordless logins working it's actually more
            secure than logging in with a password (as the private key is
            much longer than most people's passwords). If you would like to
            now disable password logins, as the <code class=
            "systemitem">root</code> user:
          </p>
          <pre class="root">
<kbd class=
"command">echo "PasswordAuthentication no" &gt;&gt; /etc/ssh/sshd_config &amp;&amp;
echo "ChallengeResponseAuthentication no" &gt;&gt; /etc/ssh/sshd_config</kbd>
</pre>
          <p>
            If you added <span class="application">Linux-PAM</span> support
            and you want ssh to use it then you will need to add a
            configuration file for <span class="application">sshd</span> and
            enable use of <span class="application">LinuxPAM</span>. Note,
            ssh only uses PAM to check passwords, if you've disabled password
            logins these commands are not needed. If you want to use PAM,
            issue the following commands as the <code class=
            "systemitem">root</code> user:
          </p>
          <pre class="root">
<kbd class=
"command">sed 's@d/login@d/sshd@g' /etc/pam.d/login &gt; /etc/pam.d/sshd &amp;&amp;
chmod 644 /etc/pam.d/sshd &amp;&amp;
echo "UsePAM yes" &gt;&gt; /etc/ssh/sshd_config</kbd>
</pre>
          <p>
            Additional configuration information can be found in the man
            pages for <span class="command"><strong>sshd</strong></span>,
            <span class="command"><strong>ssh</strong></span> and
            <span class="command"><strong>ssh-agent</strong></span>.
          </p>
        </div>
        <div class="sect3" lang="en" xml:lang="en">
          <h3 class="sect3">
            <a id="openssh-init" name="openssh-init"></a>
          </h3>
          <h4 class="title">
            <a id="openssh-init" name="openssh-init"></a><span class=
            "phrase">Boot Script</span>
          </h4>
          <p>
            To start the SSH server at system boot, install the <code class=
            "filename">/etc/rc.d/init.d/sshd</code> init script included in
            the <a class="xref" href="../introduction/bootscripts.html"
            title="BLFS Boot Scripts">blfs-bootscripts-20191204</a> package.
          </p>
          <pre class="root">
<kbd class="command">make install-sshd</kbd>
</pre>
        </div>
      </div>
      <div class="content" lang="en" xml:lang="en">
        <h2 class="sect2">
          Contents
        </h2>
        <div class="segmentedlist">
          <div class="seglistitem">
            <div class="seg">
              <strong class="segtitle">Installed Programs:</strong>
              <span class="segbody">scp, sftp, slogin (symlink to ssh), ssh,
              ssh-add, ssh-agent, ssh-copy-id, ssh-keygen, ssh-keyscan, and
              sshd</span>
            </div>
            <div class="seg">
              <strong class="segtitle">Installed Libraries:</strong>
              <span class="segbody">None</span>
            </div>
            <div class="seg">
              <strong class="segtitle">Installed Directories:</strong>
              <span class="segbody">/etc/ssh, /usr/share/doc/openssh-8.2p1,
              and /var/lib/sshd</span>
            </div>
          </div>
        </div>
        <div class="variablelist">
          <h3>
            Short Descriptions
          </h3>
          <table border="0" class="variablelist">
            <colgroup>
              <col align="left" valign="top" />
              <col />
            </colgroup>
            <tbody>
              <tr>
                <td>
                  <p>
                    <a id="scp" name="scp"></a><span class=
                    "term"><span class="command"><strong>scp</strong></span></span>
                  </p>
                </td>
                <td>
                  <p>
                    is a file copy program that acts like <span class=
                    "command"><strong>rcp</strong></span> except it uses an
                    encrypted protocol.
                  </p>
                </td>
              </tr>
              <tr>
                <td>
                  <p>
                    <a id="sftp" name="sftp"></a><span class=
                    "term"><span class=
                    "command"><strong>sftp</strong></span></span>
                  </p>
                </td>
                <td>
                  <p>
                    is an FTP-like program that works over the SSH1 and SSH2
                    protocols.
                  </p>
                </td>
              </tr>
              <tr>
                <td>
                  <p>
                    <a id="slogin" name="slogin"></a><span class=
                    "term"><span class=
                    "command"><strong>slogin</strong></span></span>
                  </p>
                </td>
                <td>
                  <p>
                    is a symlink to <span class=
                    "command"><strong>ssh</strong></span>.
                  </p>
                </td>
              </tr>
              <tr>
                <td>
                  <p>
                    <a id="ssh" name="ssh"></a><span class=
                    "term"><span class="command"><strong>ssh</strong></span></span>
                  </p>
                </td>
                <td>
                  <p>
                    is an <span class=
                    "command"><strong>rlogin</strong></span>/<span class=
                    "command"><strong>rsh</strong></span>-like client program
                    except it uses an encrypted protocol.
                  </p>
                </td>
              </tr>
              <tr>
                <td>
                  <p>
                    <a id="sshd" name="sshd"></a><span class=
                    "term"><span class=
                    "command"><strong>sshd</strong></span></span>
                  </p>
                </td>
                <td>
                  <p>
                    is a daemon that listens for <span class=
                    "command"><strong>ssh</strong></span> login requests.
                  </p>
                </td>
              </tr>
              <tr>
                <td>
                  <p>
                    <a id="ssh-add" name="ssh-add"></a><span class=
                    "term"><span class=
                    "command"><strong>ssh-add</strong></span></span>
                  </p>
                </td>
                <td>
                  <p>
                    is a tool which adds keys to the <span class=
                    "command"><strong>ssh-agent</strong></span>.
                  </p>
                </td>
              </tr>
              <tr>
                <td>
                  <p>
                    <a id="ssh-agent" name="ssh-agent"></a><span class=
                    "term"><span class=
                    "command"><strong>ssh-agent</strong></span></span>
                  </p>
                </td>
                <td>
                  <p>
                    is an authentication agent that can store private keys.
                  </p>
                </td>
              </tr>
              <tr>
                <td>
                  <p>
                    <a id="ssh-copy-id" name="ssh-copy-id"></a><span class=
                    "term"><span class=
                    "command"><strong>ssh-copy-id</strong></span></span>
                  </p>
                </td>
                <td>
                  <p>
                    is a script that enables logins on remote machine using
                    local keys.
                  </p>
                </td>
              </tr>
              <tr>
                <td>
                  <p>
                    <a id="ssh-keygen" name="ssh-keygen"></a><span class=
                    "term"><span class=
                    "command"><strong>ssh-keygen</strong></span></span>
                  </p>
                </td>
                <td>
                  <p>
                    is a key generation tool.
                  </p>
                </td>
              </tr>
              <tr>
                <td>
                  <p>
                    <a id="ssh-keyscan" name="ssh-keyscan"></a><span class=
                    "term"><span class=
                    "command"><strong>ssh-keyscan</strong></span></span>
                  </p>
                </td>
                <td>
                  <p>
                    is a utility for gathering public host keys from a number
                    of hosts.
                  </p>
                </td>
              </tr>
            </tbody>
          </table>
        </div>
      </div>
      <p class="updated">
        Last updated on 2020-02-15 10:01:33 -0600
      </p>
    </div>
    <div class="navfooter">
      <ul>
        <li class="prev">
          <a accesskey="p" href="nss.html" title="NSS-3.51">Prev</a>
          <p>
            NSS-3.51
          </p>
        </li>
        <li class="next">
          <a accesskey="n" href="p11-kit.html" title=
          "p11-kit-0.23.20">Next</a>
          <p>
            p11-kit-0.23.20
          </p>
        </li>
        <li class="up">
          <a accesskey="u" href="security.html" title=
          "Chapter&nbsp;4.&nbsp;Security">Up</a>
        </li>
        <li class="home">
          <a accesskey="h" href="../index.html" title=
          "Beyond Linux� From Scratch     (System V Edition) - Version 2020-04-02">
          Home</a>
        </li>
      </ul>
    </div>
  </body>
</html>
